This is required, because when TPM HW available (i.e. -c /dev/tpm0),
evmctl ima_boot_aggregate returns sha1:xxxx.
skip requires to move cleanup().
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
[zohar@linux.ibm.com: move test so it works with sample logs]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The existing variable names swtpm and swtpm1 is confusing. Rename
"swtpm" to "tpm_server" and "swtpm1" as "swtpm".
Suggested-by: Ken Goldman <kgoldman@us.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The software TPM might not be listening for commands yet. Try re-sending
the tssstartup.
Reported-by: Ken Goldman <kgoldman@us.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The default value raw is appropriate for 'swtpm'. tpm_server
uses the Microsoft packet encapsulation, so the env variable
must have the value mssim.
Signed-off-by: Ken Goldman <kgoldman@us.ibm.com>
Fixes: f831508297cd ("Install the swtpm package, if available")
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The "boot_aggregate.test" requires either a hardware or software TPM.
Support using the swtpm, if packaged for the distro, in addition to
tpm_server.
Note: Some travis/<distro>.sh scripts are links to other scripts.
Don't fail the build of the linked script if the swtpm package doesn't
exist.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Acked-by: Bruno Meneguele <bmeneg@redhat.com>
cmp is not by default installed on some containers
(unlike other tools e.g. cut, tr from coreutils or grep).
Also cmp implementation from busybox doesn't support -b, thus detect it.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Bruno Meneguele <bmeneg@redhat.com>(Fedora,CentOS 8(RHEL actually))
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
tpm2-software is being packaged in major distros nowadays.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Bruno Meneguele <bmeneg@redhat.com>(Fedora,CentOS 8(RHEL actually))
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Some distros in Travis CI (e.g. Debian and Ubuntu) have problems with
downloading from sourceforge.net due unknown certificate issuer:
--2020-08-11 14:47:51-- https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm1332.tar.gz/download
Resolving sourceforge.net (sourceforge.net)... 216.105.38.13
Connecting to sourceforge.net (sourceforge.net)|216.105.38.13|:443... connected.
ERROR: The certificate of 'sourceforge.net' is not trusted.
ERROR: The certificate of 'sourceforge.net' doesn't have a known issuer.
This is a preparation for future commit (moving to docker based Travis CI).
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Bruno Meneguele <bmeneg@redhat.com>(Fedora,CentOS 8(RHEL actually))
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Running the "boot_aggregate" test without a physical TPM, requires
installing and initializing a software TPM. For now, use the same
method of initializing the TPM, based on the IBM tss, for both the
IBM and Intel's tss.
Build both the IBM and INTEL's tss.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Verifying the "boot_aggregate" requires reading the TPM PCRs for each of
the TPM banks. In test environments without a physical TPM, a software
TPM may be used, but requires initializing the TPM PCRs. By walking and
replaying the TPM event log, a software TPM may be properly initialized.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Verifying the "boot_aggregate" requires reading the TPM PCRs for each of
the TPM banks. In test environments without a physical TPM, a software
TPM may be used.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
boot_aggregate test make use of a software TPM 2.0 in case it doesn't find
any /dev/tpm0 in the system or if the test is ran as a normal user. However,
when the system has a discrete TPM 1.2 and the user runs the test with a
non-root user evmctl fails to return the software TPM 2.0 boot aggregate
value because it tries to access TPM 1.2 the sysfs PCRs file and,
consequently, the test fails. Thus TPM 2.0 log test is not supported on
systems with a discrete TPM 1.2
Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Searching for the last "boot_aggregate" record in the measurement list
could inadvertently match a filename containing the string
"boot_aggregate". Prevent this from happening.
Reviewed-by: Bruno Meneguele <bmeneg@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
display_pcrs() should include PCRS 8 - 9 as they are non-zeros on some
systems. boot_aggregate may span PCRs 0 - 9 so check()'s info message
should be fixed accordingly.
Signed-off-by: Maurizio Drocco <maurizio.drocco@ibm.com>
Use the "functions.sh" tty color scheme, which defines SKIP as CYAN.
FAILURE: RED (31)
SUCCESS: GREEN (32)
SKIP: CYAN (36)
Should VERBOSE or informational messages be color coded?
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
For each kexec, an additional "boot_aggregate" will appear in the
measurement list, assuming the previous measurement list is carried
across kexec.
Verify that the last "boot_aggregate" record in the IMA measurement list
matches. The "boot_aggregate" is either the last field (e.g. "ima-ng")
or the second to last field (e.g. "ima-sig") in the measurement list
record.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Calculate the boot_aggregate for each TPM bank and verify that the
boot_aggregate in the IMA measurement list matches one of them.
A software TPM may be used to verify the boot_aggregate. If a
software TPM is not already running on the system, this test
starts one and initializes the TPM PCR banks by walking the sample
binary_bios_measurements event log, included in this directory, and
extending the TPM PCRs. The associated ascii_runtime_measurements
for verifying the calculated boot_aggregate is included in this
directory as well.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Run `make check' to execute the tests.
This commit only adds ima_hash test.
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Newer automake does not like to put programs and scripts
to lib directory. Use libexec instead.
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Directory integrity verification requires directory hash value
to be set to security.ima.
This patch provides directory hash calculation.
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
For debugging purpose it is nice to have evm hmac calculation for
labeling filesystem using hmac.
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
evmctl provides signing support for IMA/EVM.
Functionality includes signing of file content (IMA), file metadata (EVM),
importing public keys into kernel keyring.
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
